Security researcher offers a different take on warning of secret Galaxy spy code.


On Wednesday, developers of an alternative version of Google's Android mobile operating system published a startling claim: Samsung's S3, Note 2, and seven other models of Galaxy smartphones contained a backdoor that provides remote access to virtually all data stored on the devices. The code that allows access, part of the software that handles communication with the phones' baseband or modem processors, made it possible to remotely read, write, or even modify users' files.

"Provided that the modem runs proprietary software and can be remotely controlled, that backdoor provides remote access to the phone's data, even in the case where the modem is isolated and cannot access the storage directly," Paul Kocialkowski, one of the Free Software Foundation (FSF) developers who reported the finding, wrote in a separate post. "This is yet another example of what unacceptable behavior proprietary software permits!" Going on to plug the Android replacement known as Replicant, he continued: "Our free replacement for that non-free program does not implement this backdoor. If the modem asks to read or write files, Replicant does not cooperate with it."

To get a second opinion, Ars turned to Dan Rosenberg, a senior security researcher at Azimuth Security, who specializes in the reverse engineering of Unix and embedded devices. While he expanded the list of affected phones to include Samsung's more recent S4 and Note 3 models, he largely dispelled the claims that the software provided a backdoor that could be used to compromise users' privacy or security. What follows is an e-mail interview conducted early Thursday.

Ars: What's your overall take?

Rosenberg: I think calling this a "backdoor" is a bit far-fetched, much less one that can allow parties to remotely access data from your phone. This claim can be debunked with three crucial facts:

1. There is virtually no evidence for the ability to remotely execute this functionality. The write-up states, "As the modem is running proprietary software, it is likely that it offers over-the-air remote control that could then be used to issue the incriminated RFS messages and access the phone's file system." (When people are referring to "RFS commands" in the context of this issue, they're talking about the proprietary protocol Samsung implemented to allow the baseband to communicate with the application processor (AP) and vice versa—in particular the commands that allow reading and writing files on the AP.) However, the authors provide no evidence of such a "remote control" mechanism. The FSF has a known agenda against proprietary software, and I think that agenda resulted in them creating a narrative that would cause perhaps more outrage than is warranted.

2. The amount of data that can be read or written to by this functionality is very limited. On all affected models except the original Galaxy S, which was released 4 years ago, the affected radio software is running under the "radio" user. As a result, this can only be used to access data specifically related to radio functionality, plus information stored on the SD card (because this is also readable by every application on the phone).

3. The specifics of the vulnerability suggest that it was poorly programmed legitimate functionality rather than a secret backdoor. The authors had to leverage a directory traversal flaw in the handling of modem commands in order to cause the radio software to write outside of the /efs/root directory, which contains radio-related files. This suggests that the intended purpose of this functionality was rather mundane and not at all malicious, and that it was simply poorly implemented.
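The directory traversal Rosenberg describes in point 3 is a path-confinement failure: the application-processor side prefixed a base directory onto a modem-supplied path and trusted the result. The following C is an added example written for this article; it is not Samsung's RIL code and not from the Replicant write-up. It places the naive prefix-and-trust join beside a hardened check that lexically normalises the path and refuses anything that would climb above the base directory. The /efs/root base comes from the interview; the function names, size limits and sample paths are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Base directory named in the interview; everything else here is assumed. */
#define RFS_BASE      "/efs/root"
#define RFS_MAX_PATH  256
#define RFS_MAX_DEPTH 32

/* Naive handling, modelled on the flaw described above: prefix the base
 * directory and trust whatever arrives from the modem. A path beginning
 * with "../.." walks straight out of RFS_BASE. */
bool naive_resolve(const char *rel, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", RFS_BASE, rel);
    return n >= 0 && (size_t)n < outlen;
}

/* Hardened handling: reject absolute paths, normalise "." and ".."
 * lexically, and refuse any ".." that would pop above RFS_BASE. Lexical
 * normalisation (rather than realpath(3)) is used so the check also works
 * for a write request whose target does not exist yet. */
bool confine_path(const char *rel, char *out, size_t outlen)
{
    if (rel == NULL || rel[0] == '\0' || rel[0] == '/' ||
        strlen(rel) >= RFS_MAX_PATH)
        return false;

    char work[RFS_MAX_PATH];
    strcpy(work, rel);                       /* length checked above */

    const char *parts[RFS_MAX_DEPTH];
    size_t depth = 0;

    /* Split on '/' in place; empty components (from "//") are skipped. */
    char *p = work;
    while (*p != '\0') {
        while (*p == '/')
            p++;
        if (*p == '\0')
            break;
        char *tok = p;
        while (*p != '\0' && *p != '/')
            p++;
        if (*p != '\0')
            *p++ = '\0';

        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (depth == 0)
                return false;                /* would escape RFS_BASE */
            depth--;
            continue;
        }
        if (depth == RFS_MAX_DEPTH)
            return false;                    /* unreasonably deep request */
        parts[depth++] = tok;
    }
    if (depth == 0)
        return false;                        /* the base dir itself is not a file */

    /* Rebuild the confined path from the surviving components. */
    int n = snprintf(out, outlen, "%s", RFS_BASE);
    if (n < 0 || (size_t)n >= outlen)
        return false;
    size_t used = (size_t)n;
    for (size_t i = 0; i < depth; i++) {
        n = snprintf(out + used, outlen - used, "/%s", parts[i]);
        if (n < 0 || (size_t)n >= outlen - used)
            return false;
        used += (size_t)n;
    }
    return true;
}

/* Convenience wrapper: true when rel is accepted and resolves to expected. */
bool confines_to(const char *rel, const char *expected)
{
    char out[RFS_MAX_PATH];
    return confine_path(rel, out, sizeof out) && strcmp(out, expected) == 0;
}

int main(void)
{
    const char *samples[] = { "log/modem.txt", "a/./b/../c", "../../data/x", "/etc/hosts" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char out[RFS_MAX_PATH];
        printf("%-16s -> %s\n", samples[i],
               confine_path(samples[i], out, sizeof out) ? out : "REJECTED");
    }
    return 0;
}
```

Two caveats a practitioner would add on top of this. Lexical confinement says nothing about symlinks already sitting under the base directory, so the open itself should still use O_NOFOLLOW or a post-open fstat check. And, as Rosenberg's second point notes, running the handler as the unprivileged "radio" user is the layer that bounded the damage here; the path check and the privilege boundary are complementary, not alternatives.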

What is the total list of models that are affected?

The only models that I'm aware are affected are those mentioned in the write-up, plus the Galaxy Note 3 and Galaxy S4.

Do phones made by other manufacturers have the same type of backdoor design and/or behavior reported here?

In a cursory glance I made on phones by a few other vendors, this type of functionality was not present, but since I haven't done an in-depth evaluation, it's definitely not out of the question.

How worrisome is the design and behavior reported by these developers? Is there any legitimate reason for this backdoor to exist?

The legitimate reason appears to be to allow the modem to write diagnostic files to Android storage in order to assist with identifying and fixing problems with the modem.

Is it widely agreed that a phone's modem should never be able to access storage?

This is a security boundary that hasn't really been formally defined in many cases. In general, best practices would dictate that neither the application processor nor the baseband should be able to negatively influence each other or access sensitive information from the other, but I wouldn't be surprised if there are other ways the baseband can mess with the AP.

Who might be able to exploit the backdoor?

If a carrier, OEM, or attacker had the ability to execute arbitrary code on an affected device's baseband processor (a big "if"), that party could then leverage this flaw to read and write the aforementioned mostly non-sensitive files on the phone's storage.

Promoted Comments

Come on, this is dumb. If someone compromises your baseband processor, they have the keys to the kingdom already. They can do things like listen to all your calls, cause you to make calls, monitor all your data, and so forth. A "vulnerability" that requires you to compromise the baseband process is not a vulnerability at all. It's like saying that if someone broke into your house, then it's a "vulnerability" that they could access your fridge without going through additional security.

Yes, it was sloppy of Samsung to allow the baseband CPU to write to parts of the disk outside of its little space in /etc. Guess what else was sloppy? The recent GnuTLS vulnerability that completely disabled security for millions of systems. Let's hear about what the GNU foundation is doing to prevent a repeat of "goto fail," not FUD about other people's work.

So basically, this is yet another example of Samsung's ineptness. Once again we see flaws caused by their fixation with smearing their shitty software on an otherwise good OS. All the more reason to run stock Android, I say.

---

And before Samsung’s defenders try to pile in here and say “But, but, but, Apple!!!” … nobody cares about Apple. This is Samsung messing up Android all on their own, and it’s absolutely not a problem with Android.

Use a Nexus and everything is fine.

This is software running on the radio baseband processor itself, and is *not* part of the OS running on the phone SoC (or rather, the AP) itself.

IOW, the version of Android running on the device doesn't matter. You seem to have skipped over the part where they demonstrated the issue while running CyanogenMod.

Actually, the original post clarifies that the "backdoor" is part of the OS on the application processor, which accepts certain commands from the baseband processor. That's why replacing the OS with Replicant (or any other Android fork, really) removes this functionality.

Quote:

While working on Replicant, a fully free/libre version of Android, we discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system.